Suspect Spreading Philadelphia Ransomware Identified

In March 2017, cybercrime investigators in Austria made a breakthrough in a so-called “ransomware case.” Someone infected an Upper Austrian company with malware known as Philadelphia or the Philadelphia Ransomware. Investigators discovered the attacker responsible for the infection: a 19-year-old from the region. The suspect, armed with ransomware from the darknet, likely infected several other companies in the region, a Federal Criminal Officer explained.

Philadelphia quickly became known as one of the most user friendly malware kits for an attacker in 2016. A forum post, on the clearnet, explained where the ransomware came from, how attackers spread Stampado, and of course the price of Philadelphia. Cybercrime investigators in Austria heard an increasing number of reports from Upper Austrian countries that involved ransomware.

“I managed to compromise one user’s machine of underground community called “Alphabay” and intercepted their chat over jabber (Pidgin)…I know it’s not legal but imo we have to use the same methods to conquer them,” a forum user explained. “I never doxed his identification and not deanonymised him.” He uploaded the jabber conversation between the buyer and the developer of Philadelphia. Of note: the Philadelphia developer created the infamous Stampado malware.

Since the release and subsequent media coverage of Philadelphia, one company created a free decryption tool for infected users. This is extremely useful for any malware, and especially so for programs with a Russian Roulette or similar file deleter. Philadelphia utilized a Russian Roulette function that encouraged a payment.

The Upper Austrian company refused to pay the ransom of $400; they backed up all data on company machines on a routine basis. Despite avoiding the ransom and retaining the data, the Upper Austrian company still lost something. The malware caused $3,000 in damages, thanks to computer and database downtime as they waited Philadelphia out. News outlets reported the story with contradictory information, though. And one source mentioned that decryption software unlocked the machines before the malware destroyed everything. No matter the events – the company’s backup still kept them protected.

According to case investigators, the suspect initially lived in Upper Austria as well. Throughout the course of the investigation, he moved once and possibly twice. Police raided two apartments: one in Linz and one in Vienna. Again, details blurred themselves here but muddied the news only slightly. One source reported that the suspect lived in Linz. The other said he moved to Vienna after he moved to Linz. One news outlet reported that he denied the allegations but another reported that he avoided the police and remained at large.

Apartments at both locations provided investigators with physical evidence in the form of computers and data storage mediums. Officer Vincenz Kriegs-Au explained that analysis revealed the suspect used Philadelphia Headquarters on some of the machines. However, he said, analysts continued their work on the hard drives. If investigators gained access to the actual attacker interface on the machines, a map of infected targets would appear.

“The Philadelphia Headquarters is a software that works on your machine and allows you to generate unlimited builds, see the victims on a map and on a list,” the malware listing boasted. “And [it] also [includes] a “Give Mercy” button if you’re too good.” The “Give Mercy” feature contributed to the majority of the software’s success in the media. Additionally, this listing is private on Alphabay; only accessible via jabber to those without access.

The map of infected targets could prove additional companies received the malware. More specifically, the map data could prove the same suspect distributed the malware amongst multiple companies.